Overview

overview

10

Static

static

7

129cb1051f...0N.exe

windows7-x64

10

129cb1051f...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    129cb1051fb995b0430d33bd0645fc40N.exe

  • Size

    21KB

  • MD5

    129cb1051fb995b0430d33bd0645fc40

  • SHA1

    6c059ba7d4c2a22ae385d0c36e40f70b603ebe79

  • SHA256

    ec0721b5b04d16cbf73dda17accc9ae72c06761c462c54a4106d67fb91b0a4ff

  • SHA512

    6d67f6bcc54042441e149a1f51bdf0d1497fd89cdc6e6226486c8bf5a2fbada88e85641fcd989015ad079cc2321b47f5eb03d86351a8e4da87325b128770edf0

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvXf50605:rRkiLw3HsDSARGG/R0L5

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:620
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3596
        • C:\Users\Admin\AppData\Local\Temp\129cb1051fb995b0430d33bd0645fc40N.exe
          "C:\Users\Admin\AppData\Local\Temp\129cb1051fb995b0430d33bd0645fc40N.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        23KB

        MD5

        6e181c873702cbf23e60ca6749c2c59d

        SHA1

        2d3e2430763f9b75f05223ea43ad082529113721

        SHA256

        ac400551b7aaed16632dec35701df8b045461c2a1c2f73612510f17dd67a64c6

        SHA512

        32aed8fc4f00e2df92d29d9357971e0908a0c6d383f9cb530a0b15db9b28dd8f9742e9cfc0dc421baed3d047ba005ddf12578fa90ad53fa87bfc45473c9c6166

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        24KB

        MD5

        4375237f0e0fca4a782839b5bd70a71d

        SHA1

        159dffc7b2a6debd93b441eac8f6942b3d53f9ad

        SHA256

        a6b78b56c820792335142b3123d9e282bdb18b664a64285fa4b11e23b006c840

        SHA512

        393ab48ba9d25fb7e29f3aeb82b610ff8a716f8279453c8a7e5192486952ddfc53cda4bf06941aeea148de9f8d5137771635bd57c876ee8eeaff33f9b60864b6

        Download Submit

      • C:\Windows\SysWOW64\rmass.exe
        Filesize

        21KB

        MD5

        129cb1051fb995b0430d33bd0645fc40

        SHA1

        6c059ba7d4c2a22ae385d0c36e40f70b603ebe79

        SHA256

        ec0721b5b04d16cbf73dda17accc9ae72c06761c462c54a4106d67fb91b0a4ff

        SHA512

        6d67f6bcc54042441e149a1f51bdf0d1497fd89cdc6e6226486c8bf5a2fbada88e85641fcd989015ad079cc2321b47f5eb03d86351a8e4da87325b128770edf0

        Download Submit

      • memory/2464-0-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2464-7-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3664-18-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3828-52-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download